Third-Party Risk Management for Life Sciences Companies




April 2016

Five Leading Practices for Data Protection

By Mindy Herman, PMP, and Michael Lucas, CISSP

Crowe Horwath

The last thing a life sciences company wants is to have proprietary information stolen or confidential data made public. When a company delegates the responsibility for data security to an outside party, the risk of compromised data increases and managing the risk becomes a little more complex. When the company relies on a great many outside parties to provide a wide array of services, the third-party risk multiplies along with the complexity of managing it. That's when a mature and effective third-party risk management program is required.

As life sciences companies (pharmaceutical, medical device, and biotechnology companies) increasingly rely on third parties for a variety of services, the challenges of effectively managing the associated risks are growing dramatically. Anybody trying to determine the sheer scope of third-party relationships throughout an enterprise is likely to be overwhelmed. In addition, successful coordination of third-party risk management efforts in a global organization requires planning, resources, and time.

A company's use of third parties can be considered its extended enterprise: a risk landscape stretching well beyond its doors and firewalls. A life sciences company is likely to use third parties that employ technology throughout their value chains, from research and development to marketing. Third parties with access to sensitive information, such as intellectual property, clinical trial patients' health records, and proprietary product development data, extend the risk of the organization.

Consider a research division that engages a supplier for cloud storage of molecule development details that are the intellectual property of the division's company. A supplier with weak IT controls that permit a hacker to steal or otherwise compromise the intellectual property could put the company's future earnings at risk.

Five Leading Practices

Companies often find setting expectations for third parties a challenge, partly because risks vary with each third-party relationship. To comprehensively evaluate third parties' performance and mitigate the risk of working with them, a company first must establish the applicable processes and performance standards that third parties will be expected to adhere to. Setting expectations at the beginning of a relationship helps to maximize the value the company derives from the third party and manage the associated risks in alignment with expectations.

As the number and complexity of third-party relationships increase, it is important for companies to task people who have knowledge of the organization with creating and carrying out work plans to address risk while managing the execution of contracted commitments. Although every company has its unique organizational dynamic, taking certain actions can help companies overcome the challenges of establishing an effective third-party risk management program, especially when information security and privacy are concerns. Based on our experience working with life sciences companies, we recommend that a company include these practices in its third-party risk management program:

1. Create a comprehensive list of third parties.
2. Focus assessments on the most relevant risks.
3. Increase the granularity of assessments.
4. Realize risk reduction by closing identified gaps.
5. Manage decisions with risk data visualization.

A short discussion of each of these recommendations follows.

Identify Third Parties

Establishing a clear and authoritative list of all third parties is often a more complex undertaking than expected. Companies with less mature risk management programs often don't have a complete book of record. In other cases, even if companies have in place a strong procurement process for engaging third parties, business units might circumvent the process and engage a third party directly or add on services that increase risk exposure, further complicating efforts to get a handle on the use of outside parties.

Following are some of the techniques for identifying third parties and creating a master list:

- Monitor network traffic for cloud service providers.
- Compare exported accounts payable lists with a list of known third parties.
- Examine purchasing-card (P-card) spending.
- Go beyond third-party identification to include alliances and research partners, license arrangements, and other cooperative agreements.
- Include affiliates and globally procured services.

Focus Assessments on the Most Relevant Risks

Identifying all third parties that work with a company can yield a long list. It would be inefficient for most companies to assess the risk associated with every single third party they engage. Instead, companies typically narrow the third-party book of record into a more manageable list by using an assessment that provides a quantifiable value based on the type of services and the associated risks of the services. The risk assessment should include a series of questions that aligns with how a company uses the third party and drills down into characteristics that affect the likelihood and impact of the associated risks.

Following are some of the questions that can help assess risk related to protecting intellectual property, clinical trial data, and privacy:

- By what means does the third party access the company's data?
- How sensitive is the data?
- Is personal information, such as contact details, social security numbers, or medical records, included?
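The second identification technique above, comparing an accounts payable export with the known third parties, fails in practice on spelling: AP master data says "ACME CLOUD STORAGE INC" while the book of record says "Acme Cloud Storage, Inc.". The script below is an added example (not Crowe Horwath's code) that normalizes vendor names before comparing them and reports the payees that have no book-of-record entry, grouped with their total spend so the largest unmanaged relationships surface first. Both lists, the vendor names, and the suffix table are constructed sample data; a real run would read CSV exports from the AP system and the vendor-management tool.

```python
"""Reconcile an accounts-payable vendor export against the third-party book of record.

Added example, not Crowe Horwath's code. All vendor names and amounts below are
constructed sample data.
"""
import re
from collections import defaultdict

# Legal-entity suffixes that commonly differ between AP master data and the book of
# record (constructed list; extend for the jurisdictions the company buys from).
_SUFFIXES = {"inc", "llc", "ltd", "limited", "corp", "corporation", "co", "gmbh", "plc", "the"}


def normalize_name(name: str) -> str:
    """Canonical key for a vendor name: lowercase, alphanumerics only, suffixes dropped."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def reconcile(ap_rows, book_of_record):
    """Return {normalized_name: {"names": set, "spend": float}} for AP payees that
    have no entry in the book of record.

    ap_rows: iterable of (vendor_name, amount) from the AP export.
    book_of_record: iterable of vendor names the risk program already tracks.
    """
    known = {normalize_name(n) for n in book_of_record}
    unregistered = defaultdict(lambda: {"names": set(), "spend": 0.0})
    for vendor, amount in ap_rows:
        key = normalize_name(vendor)
        if not key or key in known:
            continue
        # Different spellings of one payee collapse onto the same key.
        unregistered[key]["names"].add(vendor)
        unregistered[key]["spend"] += float(amount)
    return dict(unregistered)


# Constructed sample data.
BOOK_OF_RECORD = ["Acme Cloud Storage, Inc.", "Helix Clinical Research Ltd"]
AP_EXPORT = [
    ("ACME CLOUD STORAGE INC", 12000.00),
    ("Helix Clinical Research Limited", 85000.00),
    ("Nimbus Data Hosting LLC", 4500.00),   # engaged directly by a business unit
    ("nimbus data hosting", 1500.00),       # same vendor, different spelling
    ("Print Shop P-card", 120.00),
]

if __name__ == "__main__":
    findings = reconcile(AP_EXPORT, BOOK_OF_RECORD)
    for key, info in sorted(findings.items(), key=lambda kv: -kv[1]["spend"]):
        print(f"{key!r}: spend {info['spend']:.2f}, seen as {sorted(info['names'])}")
```

The output is a work list for procurement, not a verdict: a payee missing from the book of record may be a one-off purchase, but a recurring payee with meaningful spend is exactly the circumvented engagement the text warns about and should be added to the list and assessed.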

At the end of a risk assessment, each third party receives a risk rating on a rating scale. These ratings allow for the list to be further prioritized and for the company to decide which third parties require due diligence. If clinical trial details on the identities of 10,000 patients are stored in the third party's system, the risks associated with using a software as a service (SaaS) application are higher than the risks of using a hosted application that contains only anonymous marketing data about consumers.

Companies should assess other risk areas such as operational, patient safety, regulatory, compliance, pipeline, contractual, and financial risks in addition to data security risks to efficiently address all relevant areas at once. Coordinating assessment activities across the company's control functions encourages the effective use of both the company's and the third party's time.

Increase the Granularity of Assessments

Control assessments are essential for pinpointing the gaps: areas in which risk could be heightened because third-party controls don't meet company standards. A control assessment investigates whether a third party has protections in place that are adequate for providing the service or services it was engaged to deliver. To confirm that the third party is meeting the company's previously established expectations, this effort should be tied closely to the company's policies and standards.

The control assessment's in-depth analysis often covers areas such as the following:

- Personnel management. What are the third party's personnel controls, and how does it screen applicants? Are appropriate policies and procedures constructed to govern employees and activities?
- Network. How is data loss prevented? How strong are the network detective and preventive controls? Are the network access controls adequate?
- Data management. Is an adequate user management process in place? Is encryption used to help ensure that only authorized personnel can access information?
- Platform security. Would the patch and vulnerability management process in place be able to prevent or thwart an attack on the system?

Sometimes third parties are reluctant to share documents during a control assessment. Using a screen-sharing tool is one way to navigate this challenge. In addition, third parties might be more willing to share information from Statement on Standards for Attestation Engagements (SSAE) 16 and Service Organization Control (SOC) reports. Those documents, however, usually fail to contain 100 percent of the information an in-depth assessment requires, underscoring the importance of data gathered in a granular risk control assessment.

Realize Risk Reduction by Closing Identified Gaps

An effective third-party risk management program not only detects risks but also helps to close the identified gaps. Many companies struggle in this area; they might excel at identifying gaps but can find it difficult to close them. Tracking gaps with a corrective and preventive action process and tasking the business unit that has engaged a third party with strengthening identified weaknesses can help to reduce the risks. It is also helpful for the company to have someone providing oversight and technology enablement to track the gaps until they are closed.

Following are a few approaches to addressing gaps identified by a control assessment:

- Remediate the risk. Third parties often respond to a client's concerns by fixing identified gaps: patching their systems, strengthening firewall rules, or addressing poor password protection, for example.
- Mitigate the exposure. A company might take action on its own to mitigate identified risks. For example, a company could limit the types or quantity of sensitive data a third party processes, thus decreasing the relationship's overall risk.
- Accept the risk. With an understanding of the potential risk, a company could decide to accept the control gap.
- Terminate the relationship. If remediating, mitigating, or accepting the risk associated with a particular third party is not possible, a company might decide to stop working with the party.

Manage Decisions With Risk Data Visualization

To contribute meaningfully to a company's risk management program, stakeholders need to possess the right information and understand how to interpret it. Interactive dashboards and graphics, as well as static charts and diagrams, are excellent tools for visualizing risk data and supporting each individual's and team's decision-making processes. For example, employees who directly oversee third parties can benefit from actionable and specific reports that highlight the risk areas that must be accepted, mitigated, or remediated. Particularly when a third party works with multiple areas of a business, reporting clarifies what needs to be done and assigns accountability for each activity.

It is also beneficial for company employees on the front lines of risk management to revisit risk assessments periodically, because sometimes the company's third-party relationships expand or otherwise change over time. Revisiting periodically helps to ensure that the risk management activities the company takes with a third party match the risk profile for using that party.
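The risk rating from the assessment questions, the four gap dispositions (remediate, mitigate, accept, terminate) and the per-third-party report rows the text describes fit together as one small data model. The code below is an added example, not Crowe Horwath's method or tooling: the point values, tier thresholds and sample third parties are constructed assumptions chosen so that the white paper's own comparison holds (a SaaS application holding 10,000 patient identities rates higher than a hosted application holding only anonymous marketing data). It shows how a mitigation changes the assessment answers and therefore the score, while an accepted gap stays visible in the residual rating until someone revisits it.

```python
"""Risk-rate third parties from assessment answers and track control gaps to closure.

Added example, not Crowe Horwath's code. Point values, tier thresholds and the
sample third parties are constructed assumptions; the four dispositions
(remediate, mitigate, accept, terminate) are the ones the white paper describes.
"""
from dataclasses import dataclass, field

# Assumed weights: how the third party reaches the data and how sensitive the data is.
ACCESS_POINTS = {"none": 0, "company_hosted": 1, "hosted_app": 2, "saas": 3}
SENSITIVITY_POINTS = {"public": 0, "marketing_anonymous": 1, "internal": 2, "ip": 3, "phi": 4}
DISPOSITIONS = {"open", "remediate", "mitigate", "accept", "terminate"}


@dataclass
class Gap:
    control_area: str            # personnel, network, data_management, platform
    severity: int                # 1 (low) to 3 (high), set by the control assessment
    disposition: str = "open"


@dataclass
class ThirdParty:
    name: str
    access: str                  # key of ACCESS_POINTS
    sensitivity: str             # key of SENSITIVITY_POINTS
    record_count: int            # records the third party stores or processes
    personal_info: bool          # contact details, SSNs, medical records, ...
    gaps: list = field(default_factory=list)
    active: bool = True


def inherent_score(tp: ThirdParty) -> int:
    """Risk rating from the assessment questions alone, before any control gaps."""
    score = ACCESS_POINTS[tp.access] + SENSITIVITY_POINTS[tp.sensitivity]
    if tp.personal_info:
        score += 2
    if tp.record_count >= 10_000:
        score += 2
    elif tp.record_count >= 1_000:
        score += 1
    return score


def tier(score: int) -> str:
    """Assumed rating scale; medium and high tiers get a control assessment."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def residual_score(tp: ThirdParty) -> int:
    """Inherent score plus the severity of gaps that still expose the company.
    Remediated gaps are closed and mitigated gaps are already reflected in the
    reduced scope (decide() rewrote the answers), so only open and accepted gaps count."""
    return inherent_score(tp) + sum(g.severity for g in tp.gaps if g.disposition in ("open", "accept"))


def decide(tp: ThirdParty, gap: Gap, disposition: str, **reduced_scope) -> None:
    """Record the business unit's decision for one gap.
    For "mitigate", reduced_scope holds the new assessment answers (e.g. personal_info=False)."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition {disposition!r}")
    if not any(g is gap for g in tp.gaps):
        raise ValueError("gap does not belong to this third party")
    gap.disposition = disposition
    if disposition == "mitigate":
        for answer, value in reduced_scope.items():
            setattr(tp, answer, value)
    elif disposition == "terminate":
        tp.active = False


def report(portfolio) -> list:
    """Rows for a dashboard: active third parties ordered by residual risk."""
    rows = []
    for tp in portfolio:
        if not tp.active:
            continue
        inherent = inherent_score(tp)
        rows.append({
            "name": tp.name,
            "tier": tier(inherent),
            "inherent": inherent,
            "residual": residual_score(tp),
            "open_gaps": sum(g.disposition == "open" for g in tp.gaps),
        })
    return sorted(rows, key=lambda r: -r["residual"])


def build_sample_portfolio() -> list:
    """Constructed sample: the paper's SaaS-with-patient-data versus
    hosted-app-with-anonymous-marketing-data comparison, plus a terminated vendor."""
    trial = ThirdParty("Helix Clinical Research", "saas", "phi", 10_000, True,
                       gaps=[Gap("platform", 3), Gap("data_management", 2), Gap("network", 1)])
    marketing = ThirdParty("Nimbus Data Hosting", "hosted_app", "marketing_anonymous", 50_000, False,
                           gaps=[Gap("personnel", 2)])
    backup = ThirdParty("Old Backup Co", "saas", "ip", 500, False, gaps=[Gap("platform", 3)])
    decide(trial, trial.gaps[0], "remediate")                      # vendor patched the platform
    decide(trial, trial.gaps[1], "mitigate", personal_info=False)  # company stopped sending PII
    decide(trial, trial.gaps[2], "accept")                         # stays on the report
    decide(backup, backup.gaps[0], "terminate")                    # relationship ended
    return [trial, marketing, backup]


if __name__ == "__main__":
    for row in report(build_sample_portfolio()):
        print(row)
```

Two design points follow the text directly: a "remediate" decision should only be recorded after the company has verified the fix, and "accept" deliberately does not lower the residual score, so the periodic re-assessment the text recommends has something to re-examine.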

At the same time, other stakeholders might need to understand the company's entire portfolio of risk and relevant developing trends. It's necessary for this group to both see the bigger picture (by category, functional area, or specific risk) and drill down into details. More detailed queries could, for example, be about high-residual-risk third parties that store or process sensitive information or high-operational-risk third parties with unresolved disaster recovery gaps.

Because third-party risk is managed by multiple people in an organization, each stakeholder in the third-party risk management process needs to understand his or her role and responsibilities and have the information needed to carry them out efficiently. When the employees with accountability for managing risk have access to reliable, data-driven reports, program efficacy increases. Further, the board of directors needs accurate reports in order to fulfill its fiduciary duty to see that risks of all kinds, including third-party risks, are managed appropriately.

Perpetual Vigilance

Developing a complete third-party book of record, prioritizing risks, and increasing the granularity of risk assessments are valuable ways to determine where a life sciences company's most relevant risks related to service providers might hide. However, if the company does not mitigate the identified risks actively and consistently, it's unlikely to reach its goals. Putting a consistent level of effort into the entire cycle of the program is likely to more effectively close control gaps and reduce risk associated with the use of third parties and help to protect the important data that life sciences companies store and use.

It can be daunting to begin building a risk management framework from the ground up, or even to admit that an existing system needs improvement. Once committed to sustaining an effective third-party risk management program, a company is likely to be prepared to anticipate potential threats rather than simply react to them. Dedicating time and resources up front is likely to reduce risk and deliver a return on the investment in third-party relationships, thus enabling companies to reduce costs, focus on core business activities, and encourage innovation.

Contact Information

Mindy Herman is a principal with Crowe Horwath LLP and can be reached at +1 317 706 2614 or mindy.herman@crowehorwath.com.

Michael Lucas is with Crowe and can be reached at +1 317 850 3651, +44 (0)7525 809554, or michael.lucas@crowehorwath.com.

www.crowehorwath.com

In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International. crowehorwath.com/disclosure RISK-16018-004F